JyotinderSingh opened a new pull request #3134: URL: https://github.com/apache/ozone/pull/3134
## What changes were proposed in this pull request? If a directory under an FSO bucket does not contain any subfiles/directories - set the recursive flag for Ranger#getAcl call to false. ### Scenario: **Ranger Policy 1:** Key Resource | Permission | User -- | -- | -- dir1/dir11, dir1/dir11/ | Read, Write, Delete | user2 **Ranger Policy 2:** Key Resource | Permission | User -- | -- | -- dir* | Read, Write, Delete | user1 **Case:** <p>1) user2 has created a directory dir1/dir11. Since the explicit policy defined for user2, it will successfully create the directories.</p> <p>2) user1 has recursive permission, he can create any dirs under " dir* ". Say, user1 created a file under directory "dir1/dir11/file".</p> <p>3) user2 issues recursive delete on "dir1/dir11". <strong>(Recursive flag is sent to Ranger from internal Ozone call)</strong>.</p> <pre class="code panel" style="border-width: 1px;" data-language="code-java">$ kinit user2 $ ozone fs -rm -R skipTrash o3fs:<span class="code-comment">//fso-buycket.vol1.fso-bucket/dir1/dir11</span></pre> <p><strong>Expected Result:</strong></p> <p>Fail to delete directory.</p> <p><strong>Actual Result:</strong></p> <p>Permission denied by Ranger.</p> <p><strong>Comments:</strong></p> <ul> <li>Since there is no permission for user2 with policy key resource dir*, Ranger is denying permission for users as access is not determined. Ranger has taken a conservative approach against all the defined policy paths irrespective of the given user who issues the recursive delete operation.</li> <li>Since there is a file under "dir1/dir11", we shouldn't allow this directory to be deleted, otherwise, this will lead to data loss.</li> </ul> <p><strong>Impact:</strong></p> <p>user2 will never be able to delete "dir1/dir11" since Ozone is always sending the recursive flag to the Ranger plugin - <strong>which is undesirable.</strong></p> <p><strong>Solution:</strong></p> <p>If no child exists under "dir1/dir11" then set the recursive flag to False and invoke Ranger#checkAcl.</p> <p><strong>Cost:</strong></p> <p>There will be an additional getChildren call on both DirectoryTable and FileTable at the Ozone side. Each of these would be a deterministic time call to RocksDB.</p> ## What is the link to the Apache JIRA https://issues.apache.org/jira/browse/HDDS-6337 ## How was this patch tested? Unit Test added. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
